[SSSD-users] SSSD and backup/restore after system failure
In a scenario in which an sssd node joined to Active Directory crashed and had to be rebuilt, restoring key files from backup, other than the obvious files in /etc (for krb5, sssd, nss etc.) are there other sssd/krb5 persistent databases (/var/lib/sss/db ?) that would have to be restored (ctdb already handles Samba related databases like secrets.tdb) in order to recover a system after failure. What sssd files (if any) other than those in /etc directory would be required to restore a system that is joined to an AD domain after failure? ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] sssd and clustering/ctdb
We were noticing some strange problems in two node clustered (ctdb/samba) sssd, cases in which both nodes joined AD fine, but "getent passwd " worked for only a subset of the remote AD users on one node, but worked fine on the other.The config seemed to be identical on the two nodes - didn't see any obvious problems with sssd configuration, but clearly the two nodes behave differently. Are there instructions on setting up sssd in clustered environment (e.g. presumably similar to the clustered ctdb/samba/ceph or gluster that RHEL might ship)? or for the clustered case is it safer to simply use winbind? ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] Re: sssd and clustering/ctdb
And I did check the obvious - googling for "clustered sssd" or "sssd and ctdb" didn't come up with much useful in the last year (mostly a few threads that are out of date from 2 or 3 years ago). ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] excessive number of adcli-krb5 tmp files
I noticed that on one of our test systems running sssd we have about 150 /tmp/adcli-krb5-* files (they already take up about 600K after a few days) and have contents similar to a krb5.conf file snippet # cat /tmp/adcli-krb5-a1klQy/krb5.d/adcli-krb5-conf-sM7Ia1 [realms] VWQA.LOCAL = { kdc = vwqadc02.vwqa.local:88 master_kdc = vwqadc02.vwqa.local:88 kpasswd_server = vwqadc02.vwqa.local } [domain_realm] vwqadc02.vwqa.local = VWQA.LOCAL vwqadc02.vwqa.local = VWQA.LOCAL Any idea why there are so many of them - and what keeps creating them? ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] uid -> sid mapping in Samba with sssd
It wasn't obvious from the documentation whether with sssd-libwbclient (only, ie without sssd-winbind-idmap installed and configured in smb.conf, since sssd-winbind-idmap is not available in most versions of RHEL7 as it was only recently added), Samba's uid_to_sid(function) can always do the lookup uid_to_sid to AD if using winbind but it wasn't clear whether this would work with sssd-libwbclient (only) installed and what additional Samba configuration is needed for that. Without this the owner of a file (viewed from the WIndows client) from Explorer GUI looks like "Unix user\1" rather than "user@domain" (as it would for Windows to Windows, or if Winbind were running on the Samba server joined to AD) ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] Re: excessive number of adcli-krb5 tmp files
We do see errors in the log, although not clear yet if the large number of them were due to sssd service not being restarted (we fixed that and still saw the same two errors in the logs - just not sure if as often) "(Wed Jan 25 21:50:20 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]" in the sssd log and about 7000 occurrences in the ldap log of [[sssd[ldap_child[7916 [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] SSSD and nested AD domains
I haven't been able to find much useful information on how sssd (if at all) handles child domains in Active Directory. If you join an AD domain, presumably you can authenticate any users in the children domains, but what happens when you do "getent" do you expect to see users of the child domain reflected in the getent (since you are joined to the parent)? Do you expect to always be able to lookup users SIDs and UIDs from the children of the domains you joined? What about the parents? ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] RFC2307bis and partially configured Active Directory Domains
One of the more common cases for sssd (or winbind) with RFC2307 seems to be getting uids/gids from Active Directory domains, but few Active Directories have all of their users/groups configured for the POSIX uid/gid. How can you configure sssd behavior for this common case (among the three behaviors that might be desired): 1) query AD for the Unix uid/gid and fail if that particular user is not configured with a uid (this seems to be what sss always does and isn't really practical given how unlikely that AD is configured perfectly for unix uids) 2) query AD for the Unix uid/gid and if that user is not configured with a uid map to a default uid (uid of something like "guest" or "defaultuser" or whatever) 3) query AD for the Unix uid/gid and if that user is not configured with a uid map algorithmically I didn't see much useful on this topic at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Domains.html#SSSD-AD If sssd doesn't do that, is this a case where winbind can do it better? or is there a way to configure nssswitch passwd line to fallback to a 3rd trivial alternative (files sss default e.g.) that provides a default uid for a user@domain who does not have a uid/gid configured in AD? ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] wbinfo-like tool for sssd
When debugging sssd it would be nice to be able to do various operations that getent can't do (e.g. 'name-to-sid' or 'sid-to-uid' etc.) or nss is not configured to do (testing that auth works e.g.) and the wbinfo tools has a pretty good list of the typical things that an admin or developer would want to do to test sssd or winbind, but ... I couldn't find an sssd equivalent of wbinfo and it looks like this is a know issue, e.g. I saw this thread http://serverfault.com/questions/795004/what-is-the-sssd-equivalent-for-wbinfo and others. Is there any work in progress on an sssd equivalent of wbinfo? ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] Re: realm join and net join incompatibilities
Yes - that looks like it works (updating /usr/lib64/realmd/realmd-defaults.conf to point to a 'net wrapper' that strips that parm out) ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] Re: Multiple Active Directory Domain Controllers - what if one is down ...
Do you guys prefer 'authconfig' to configure sssd rather than realm or some other tools? ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] Multiple Active Directory Domain Controllers - what if one is down ...
In testing using "realm join" to join an Active Directory domain with two domain controllers, we ran into a problem where "realm join" would fail when one of the two Domain Controllers were down.It looks like in a common case where nslookup shows two entries for myrealm.ad.test but the first one is down (can't ping it), that realmd doesn't try the second one automatically - but rather fails the 'realm join' ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] realm join and net join incompatibilities
In tracing through problems with realm join (in a Samba/ctdb cluster), I was noticing that realm join implicitly calls 'net ads join' (which should be a good thing) but it passes '-s' with a temporary smb.conf to 'net ads join' (which is a bad thing since it leaves out clustering=yes and the include=registry). What I was noticing was that to get sssd AND Samba to work after 'realm join' you had to run 'net ads join' (explicitly) on at least one node of the cluster (but that is risky because then sssd doesn't know about the keytab update that 'net ads join' just did). If you don't run 'net ads join' after 'realm join' - Samba will fail because it doesn't think it is joined to a domain (so session setups to it will get a 'NO_LOGON_SERVER' error, and 'net ads testjoin' will show it is not joined as well) - presumably because the 'net ads join' that realmd does implicitly on 'realm join' has the wrong smb.conf passed in to it (with no clustering). Comparing traces of the two joins - the main difference I see is that there are no ctdb related events logged in the 'realm join' implicitly called 'net ads join' (and secrets.tdb is missing the entry for the domain on all nodes). Any thoughts of 1) how to force 'realm join' to use a better smb.conf rather than the temporary one it chooses during 'net ads join' or 2) how to safely do a 'net ads join' after 'realm join' (and not confuse sssd)? ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] realm join taking more than 5 minutes - waiting on password which was already entered
In a few cases recently (again yesterday), we noticed RHEL7.3's "realm join" taking more than 5 minutes (which timed out in our cli, and running realm directly worked but took ~6 minutes when normally would take a few seconds). As you can see from the verbose output below the two longest stretches (greater than 2 minutes! each) were waiting between launching "net ads join" and piping the password in (and similarly "net ads keytab create" had a long delay between starting the command and giving it the password). Looking at realmd service/realm-samba-enroll.c e.g. begin_net_process() calling out to realm_command_runv_async it was not obvious why there should be any delay between the launch of the net command the passing of the password (I did see one report of "net ads keytab create" hanging if the keytab already existed but that is not the same problem as this). Any idea how/why such long delays between launching net and inputting the password in realmd async code? > 5 minutes is a long time to do something that usually completes in 10 seconds 2017-08-01 19:54:09 realmd[14197]: * Performing LDAP DSE lookup on: ... 2017-08-01 19:54:09 realmd[14197]: * Successfully discovered ... 2017-08-01 19:54:10 realmd[14197]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net 2017-08-01 19:54:10 realmd[14197]: * Joining using a manual netbios name: 2017-08-01 19:54:10 realmd[14197]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.0DFU4Y -U ads join 2017-08-01 19:56:42 realmd[14197]: Enterpassword: 2017-08-01 19:56:42 realmd[14197]: Using short domain name -- 2017-08-01 19:56:42 realmd[14197]: Joined ... to dns domain ... 2017-08-01 19:56:42 realmd[14197]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.0DFU4Y -U ads keytab create 2017-08-01 19:59:33 realmd[14197]: Enter password: Any ideas why realmd's async processing (basically passing the password to the underlying "net ads join" etc.) is doing this? ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org